Systems and methods for tracking and recording events in a network of computing systems

US 10,185,822 B2
Filed: 03/14/2012
Issued: 01/22/2019
Est. Priority Date: 03/14/2012
Status: Active Grant

First Claim

Patent Images

1. A computer security method comprising:

detecting an event associated with an operation performed by a process, the event occurring in a first computing system, wherein detecting the event comprises a security module intercepting the operation at a layer of an operating system of the first computing system;

generating, by a processor of the first computing system, an event identifier for the event, wherein the event identifier uniquely identifies the event in the first computing system and is generated based on information associated with the event;

generating, by the processor, a record for the event, the record comprising the event identifier and details that describe the event;

generating, by the processor, a global identifier for the event, the global identifier comprising the event identifier and attributes of the first computing system on which the event occurred, and wherein the global identifier uniquely identifies the event among other events occurring in a plurality of computing systems including the first computing system;

associating, by the processor, the global identifier with the record for the event;

forwarding, by the processor, the record to a remote computing system for storage in a repository having a plurality of records associated with the plurality of computing systems, each of the records indicative of a respective event detected on a respective computing system;

upon detecting a security breach associated with the first computing system, retrieving, by the remote computing system, one or more of the records associated with the first computing system;

determining, by the remote computing system, that at least one of the retrieved records relates to the security breach; and

providing, by remote computing system, to a forensic investigator the at least one record indicative of at least one event relating to the security breach.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security client can be configured to operate on the one or more computing systems and record all events occurring on the one or more computing systems. The security client can operate as a “security camera” for the computing systems by identifying and retaining data and information that describes and details different events that occur on the computing systems. The security client can be configured to generate event records for the events that are uniquely associated with the process that requested or performed event. Likewise, the security client can be configured to uniquely associate the event records with the specific computing system associated with the event.

49 Citations

View as Search Results

9 Claims

1. A computer security method comprising:
- detecting an event associated with an operation performed by a process, the event occurring in a first computing system, wherein detecting the event comprises a security module intercepting the operation at a layer of an operating system of the first computing system;
  
  generating, by a processor of the first computing system, an event identifier for the event, wherein the event identifier uniquely identifies the event in the first computing system and is generated based on information associated with the event;
  
  generating, by the processor, a record for the event, the record comprising the event identifier and details that describe the event;
  
  generating, by the processor, a global identifier for the event, the global identifier comprising the event identifier and attributes of the first computing system on which the event occurred, and wherein the global identifier uniquely identifies the event among other events occurring in a plurality of computing systems including the first computing system;
  
  associating, by the processor, the global identifier with the record for the event;
  
  forwarding, by the processor, the record to a remote computing system for storage in a repository having a plurality of records associated with the plurality of computing systems, each of the records indicative of a respective event detected on a respective computing system;
  
  upon detecting a security breach associated with the first computing system, retrieving, by the remote computing system, one or more of the records associated with the first computing system;
  
  determining, by the remote computing system, that at least one of the retrieved records relates to the security breach; and
  
  providing, by remote computing system, to a forensic investigator the at least one record indicative of at least one event relating to the security breach.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein generating the event identifier comprises:
    - performing a hash operation on the information associated with the event to generate the event identifier.
  - 3. The method of claim 2, wherein the information comprises at least one of (i) details of the event and (ii) the process and a time the event occurred.
  - 4. The method of claim 1, wherein generating the global identifier comprises:
    - performing a hash operation on the attributes associated with the first computing system and the event identifier to generate the global identifier.
  - 5. The method of claim 1, wherein the event comprises at least one of initiation of the process, a request to start a new process, a request to create a file, a request to modify a file, a request to delete a file, request to create a registry key, a request to delete a registry key, a request to modify a registry key, a request to establish a network connection, and a request to load a binary.
  - 6. The method of claim 1, further comprising:
    - searching, by the remote computing system, event records of at least another one of the computing systems, for at least one event record related to the security breach associated with the first computing system.

7. A method for computer security, the method comprising:
- receiving at least one event record for an event associated with an operation performed by a process executing on a first computing system, the operation intercepted at a layer of an operating system of the first computing system by a security module,wherein the at least one event record comprises details of the event and a global identifier that uniquely identifies the event among events occurring in a plurality of computing systems including the first computing system, andwherein the global identifier comprises an event identifier that uniquely identifies the event in the first computing system and identifies attributes of the first computing system;
  
  storing the at least one event record in a computer readable storage medium having a plurality of records associated with the computing systems, each of the records indicative of a respective event detected on a respective computing system;
  
  upon detecting a security breach associated with the computing system, retrieving one or more of the records associated with the first computing system;
  
  determining that at least one retrieved record relates to the security breach; and
  
  providing to a forensic investigator the at least one retrieved record indicative of at least one event relating to the security breach.
- View Dependent Claims (8, 9)
- - 8. The method of claim 7, wherein the event identifier is generated by performing a hash operation on information associated with the event.
  - 9. The method of claim 7, wherein the global identifier is generated by performing a hash operation on the attributes associated with the first computing system and the event identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Original Assignee
Carbon Black, Inc. (Broadcom, Inc.)
Inventors
Viscuso, Michael, Johnson, Benjamin, Saunders, Allen, Ruef, Andrew, McFarland, Jason
Primary Examiner(s)
Doan, Trang

Application Number

US13/420,563
Publication Number

US 20130247185A1
Time in Patent Office

2,505 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 21/554 involving event detection a...

Systems and methods for tracking and recording events in a network of computing systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

49 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for tracking and recording events in a network of computing systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links